Report: Target Could Have Prevented That Enormous Data Breach

In an epic loss of customer information, 40 million credit card numbers and personal data from 70 million customers were stolen during an attack on Target that lasted from Nov. 27 to Dec. 18, when the big box store finally shut it down. But should Target have caught on earlier?

Bloomberg Businessweek reports that Target officials could have beenmadeaware of the attack on Nov. 30 and again on Dec. 2. On both daysthe big-box store’s malware detection software, made by FireEye, sent an alert to Target's security monitors in Bangalore, India, who then contacted Target's security team in Minneapolis. But for some reason, they apparently didn't respond to either alert.

Advertisement

Congress is now investigating the situation, and congressional testimony shows that federal law enforcement officials got in touch with Target about the breach on Dec. 12. Businessweek spoke to 18 people who either worked on Target's cybersecurity in the past or have specific internal knowledge of the breach.

The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.

Target is not the first company to experience mass group denial about a security problem and miss an opportunity to deal with it as a result. In December, news broke that SnapChat had known about flaws in its user information security for four months and hadn't done anything to close the loopholes. And even when the company was forced to acknowledge the weakness publicly, it still took two weeks to release an update and correct the problem.

If the situation seems totally incomprehensible, think about your personal devices. Do you download every software update or patch the moment it’s released? The situation with Target is negligent, whereas failing to download an update on a personal device tends to stem from laziness and usually has consequences only for yourself. But they may share a common root feeling: It'll never happen to me. Except then it did happen.